
Hacked Websites

Hello Everyone,

An incident occurred which turned out to be a learning experience and has prompted me to write about it here in the forums.

A few months ago, my website was hacked and mildly defaced. I discovered it within a few hours, and it took all of about 30 seconds to upload the backup I kept; however, it wasn't until yesterday that I made a discovery about what else had changed. My .htaccess file had been altered. In fact, because this file had been altered, my site was able to be used to redirect others to upload and install malware undetected.

Now, for those who have gone to my site from any links I have provided in forums or directly, you were safe. However, if someone was looking for images in Google and had gone to my site from searching the images, or through AOL or MSN, let's hope their anti-virus programs were up to date. When I tested the redirected link, my anti-virus (I use Avast) went off, warning me and blocking the site. Let me explain...

.htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention. More about the .htaccess file can be found at http://www.javascriptkit.com/howto/htaccess.shtml

Before my site had been hacked, my .htaccess file had read only:

<IfModule mod_php5.c>
# mod_suPHP is active - php.ini overrides must be within these tags or in your local php.ini
# To set a recursive php.ini, add the following line to the top of this file:
# SuPHP_ConfigPath /home/yourusername/foldercontainingphp.ini
# (closing tag added by the editor; the copy in the post was cut off before it)
</IfModule>

The top set of lines redirect users coming to the site from the above search engines to the address on the last line. This might also explain why I was not showing up in the Yahoo search engine.

I have snipped out the HTTP reference from the #RewriteRule to prevent this from becoming a link in this message as it contains malware.

In the last set of lines, the line <Files 403.shtml> indicates the page denied users are directed to (403 - Forbidden).

The next section, "order allow,deny" followed by "allow from all", indicates that all hosts are allowed access.

It is unknown how the site became infected; however, research showed that almost 90% of break-ins in 2009 that occurred on Linux-hosted sites were caused by malware installed surreptitiously on people's Windows PCs, stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit. To keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions you need to take is to keep your Windows PC free of spyware.

So what changes did I make to the .htaccess file?

First I deleted all of the malicious lines redirecting users. Then I changed the next section to read:

<Files .htaccess>
order allow,deny
deny from all
</Files>

This helps prevent anyone from accessing the file.

I also added some more lines to the file that block bad bots and site rippers, making it harder to harvest email addresses, jack up bandwidth and resources, and steal the code from my site.

As malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. It's a good idea to check your .htaccess file periodically if you have one and not just back up your site but back up that .htaccess file as well so you have something to compare it with.
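The two habits the post recommends, locking down the .htaccess file and keeping a known-good copy to compare against, can be turned into a small periodic check. The script below is an added example written for this thread; it is not code from the original post or from the forum. It compares the live .htaccess against a backup copy (digest plus a line-level diff), verifies that a <Files .htaccess> block still denies access to the file, and flags the pattern the post describes: a RewriteCond on HTTP_REFERER naming search engines followed by a RewriteRule that sends the visitor off-site. The two .htaccess texts, the file names and the external domain in them are constructed samples, not the poster's actual files.

```python
"""Periodic .htaccess integrity check (added example, not from the original post).

Run from cron or by hand after restoring a backup:
  1. Compare the live .htaccess with a known-good copy (SHA-256 digest + line diff).
  2. Confirm a <Files .htaccess> block still denies all access to the file.
  3. Flag RewriteCond/RewriteRule pairs that redirect search-engine referrals off-site.
Every file body and domain below is a constructed sample.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Referrer keywords a defacement rule typically matches on (constructed list).
SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "bing", "ask")


def digest(text: str) -> str:
    """SHA-256 of the file body; store this beside your backup copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _directive_lines(text: str) -> set:
    """Non-blank, non-comment lines with surrounding whitespace removed."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def changed_lines(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) directive lines relative to the baseline."""
    base, cur = _directive_lines(baseline), _directive_lines(current)
    return sorted(cur - base), sorted(base - cur)


def htaccess_self_protected(text: str) -> bool:
    """True if a <Files .htaccess> block denies everyone.

    Apache 2.2 syntax is 'deny from all' (as in the post); Apache 2.4 uses
    'Require all denied' unless mod_access_compat is loaded, so both are accepted.
    Only the literal <Files .htaccess> form is recognised here.
    """
    block = re.search(r'<Files\s+"?\.htaccess"?\s*>(.*?)</Files>', text, re.I | re.S)
    if not block:
        return False
    return re.search(r"^\s*(deny from all|require all denied)\s*$",
                     block.group(1), re.I | re.M) is not None


def suspicious_redirects(text: str) -> List[str]:
    """RewriteRule lines that send search-engine referrals to an external URL.

    mod_rewrite applies all RewriteCond lines preceding a RewriteRule to that
    rule, so a referrer condition is remembered until the next RewriteRule.
    """
    findings: List[str] = []
    referer_cond_pending = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", line, re.I):
            if any(engine in line.lower() for engine in SEARCH_ENGINES):
                referer_cond_pending = True
            continue
        rule = re.match(r"RewriteRule\s+\S+\s+(https?://\S+)", line, re.I)
        if rule and referer_cond_pending:
            findings.append(line)
        if line.lower().startswith("rewriterule"):
            referer_cond_pending = False  # conditions are consumed by the rule
    return findings


def audit(baseline: str, current: str) -> Dict[str, object]:
    """Combine the three checks into one report."""
    added, removed = changed_lines(baseline, current)
    return {
        "digest_match": digest(baseline) == digest(current),
        "added": added,
        "removed": removed,
        "self_protected": htaccess_self_protected(current),
        "redirects": suspicious_redirects(current),
    }


# Constructed known-good copy: the post's suPHP block plus its protective <Files> block.
BASELINE = """<IfModule mod_php5.c>
# mod_suPHP is active - php.ini overrides must be within these tags
</IfModule>
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

# Constructed tampered copy in the shape the post describes (placeholder .invalid domain).
TAMPERED = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol) [NC]
RewriteRule ^(.*)$ http://malware.example.invalid/ [R=302,L]
</IfModule>
<Files 403.shtml>
order allow,deny
allow from all
</Files>
"""

if __name__ == "__main__":
    for key, value in audit(BASELINE, TAMPERED).items():
        print(f"{key}: {value}")
```

In practice, read BASELINE from the backup copy and TAMPERED from the live document root, and alert when digest_match is false or redirects is non-empty. Note that stock Apache configurations already contain a <FilesMatch "^\.ht"> block denying access to .ht* files server-wide, so the <Files .htaccess> block in the post is a belt-and-braces measure that only matters where the host's main configuration lacks it.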

One more thing that I failed to mention: ALWAYS make sure your applications have the latest security patches. I use Dreamweaver to edit my website, and while I never did find any malware on my computer at the time, Adobe did have a series of breaches in their software applications that they patched, and I'm pretty sure that is how the hack occurred, as it happened during that period of time. Upon discovery of the hack, I of course immediately changed the password to the account. Once the patch was applied, the password was again changed.

Talking about Adobe's software patches brought up something that I installed on my machine last night. I installed Secunia's PSI tool (http://secunia.com/vulnerability_scanning/personal). This tool scans my machine and looks for applications that aren't patched, at end-of-life, or insecure, to help me determine what applications I need to update. Very useful. Secunia also contains a huge database of applications and displays information about any vulnerabilities that exist for them, such as with web browsers.